A “botnet” is a collection of infected computer devices, each of which is known as a “bot” or “node”, connected to a network such as the Internet. Computer devices that are connected to the Internet may be vulnerable to being recruited into a botnet. Computer devices can be recruited into a botnet in a number of ways, for example by a drive-by download or Trojan-horse malware. Once a computer device has been recruited, a botnet controller will be able to make a connection to the computer device and command it to perform malicious activities, for example attacking other computer devices, hosting malicious websites, uploading personal data or installing other malicious modules on the device. The botnet controller will typically be able to command and control the whole botnet, or any node (recruited computer device) within the botnet, via, for example, IRC or HTTP. A connection can be made to a node through a number of pathways using the other nodes within the botnet. This means that if one connection attempt to a node is unsuccessful, the botnet controller should still be able to make a connection to that node via a different pathway. Of course, if the botnet controller is unable to make any connection to the node, then the effects of the botnet on that device will be negligible.
There are a number of existing prevention measures that are typically carried out to try to detect activities on a computer device that are indicative of botnet attacks or behaviour. One example is a network-based intrusion detection system (NIDS). A NIDS is an independent platform that identifies intrusions by examining network traffic and monitoring multiple hosts. A NIDS gains access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are typically located at choke points in the network to be monitored. Sensors capture all network traffic and analyse the content of individual packets for malicious traffic. Most results returned from a NIDS come from network packet analysis, but because NIDSs are typically heuristic in nature, they are not always reliable.
Protection of users' computer devices (client computers) can be made more effective by denying any connections to known compromised IP addresses. This could be done through Internet security software, for example F-Secure Internet Security™. However, a botnet may consist of a very large number of nodes, and an infected client computer may connect to a different node IP address each time a connection is made between the infected client computer and the rest of the botnet. Therefore, for software to have a high level of reliability against botnet attacks, it is required that all (or realistically as many as possible) compromised IP addresses within a botnet are known. Discovering all the compromised IP addresses for the nodes within a botnet is a challenging task. But if successful, it can provide much more reliable protection against botnet attacks by blocking connection attempts between a computer and the botnet.
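The following is an added illustration, not part of the original document, of the blocking approach described above and of why its reliability depends on how many of a botnet's node addresses are known. The blocklist entries, connection attempts and "ground truth" node list are constructed from documentation IP ranges, not real indicators.

```python
"""Egress blocklist filter illustrating the coverage argument in the text.

Constructed example: a set of 'known compromised' addresses, plus a list of
outbound connection attempts from an infected client, some of which go to
nodes the defender has not discovered. Only connections to known nodes are
blocked; the rest pass, which is the gap the text describes.
"""
import ipaddress
from collections import namedtuple

Connection = namedtuple("Connection", ["dst_ip", "dst_port", "proto"])


class Blocklist:
    """Known-compromised addresses, stored as networks so that a whole
    range of rotating node addresses can be listed with one entry."""

    def __init__(self, entries):
        self._nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)


def filter_connections(blocklist, connections):
    """Return (allowed, blocked) lists, preserving the original order."""
    allowed, blocked = [], []
    for c in connections:
        (blocked if blocklist.contains(c.dst_ip) else allowed).append(c)
    return allowed, blocked


def coverage(blocklist, botnet_nodes):
    """Fraction of the botnet's real node addresses the list would stop.
    botnet_nodes is the ground truth, which a defender never fully has."""
    hits = sum(1 for n in botnet_nodes if blocklist.contains(n))
    return hits / len(botnet_nodes)


# Constructed data (RFC 5737 documentation ranges, not real indicators).
BOTNET_NODES = ["198.51.100.7", "198.51.100.9", "203.0.113.20",
                "203.0.113.21", "192.0.2.5"]
KNOWN = Blocklist(["198.51.100.0/24", "203.0.113.20"])  # what was discovered
ATTEMPTS = [
    Connection("198.51.100.9", 6667, "tcp"),  # IRC C2 node, covered by the /24
    Connection("203.0.113.21", 80, "tcp"),    # undiscovered node: passes
    Connection("192.0.2.5", 443, "tcp"),      # undiscovered node: passes
    Connection("203.0.113.20", 80, "tcp"),    # listed individually: blocked
]
```

Calling `filter_connections(KNOWN, ATTEMPTS)` blocks two of the four attempts, and `coverage(KNOWN, BOTNET_NODES)` reports that only 60% of the botnet's nodes are known, so the infected client can still reach the botnet through the remaining pathways.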
Two existing methods of discovering botnets and their nodes are described in US2010/0162396 and US2011/0154492. For example, in US2011/0154492 the botnet detection system is provided in an Internet Service Provider's (ISP) network. The existence of a botnet is detected based on network traffic information collected by botnet traffic collecting sensors within the ISP's network. Once a botnet is detected, it can be further analysed by the detection system using a number of analysers, for example a botnet group analyser, an organisation analyser, a behaviour analyser, etc. This further analysis is used to discover as many nodes within the botnet as possible. This method requires a complex detection system, monitoring all network traffic, to be put in place by ISPs. Furthermore, the analysis performed once a botnet has been detected can be very processor intensive. Once a botnet has been detected and analysed, malicious traffic that uses the botnet can then be isolated.